A Reminder That Security Does Not Come About By Accident But Needs To Be Planned For.

2013 is the Year of the Snake in Chinese culture. In the healthcare world, I predict 2013 will be the Year of the Data Breach. The numbers back me up: 94 percent of healthcare organizations surveyed suffered data breaches, according to the Third Annual Benchmark Study on Patient Privacy & Data Security, a report recently issued by Ponemon Institute. Given their frequency, data breaches have become what I call an everyday disaster.

Healthcare organizations want and need to protect against the organizational and financial stresses of data breaches, but the pervasive nature of electronic protected health information (PHI) makes this a difficult task, to say the least.

Data breaches don’t have to be disastrous if organizations take steps to operationalize pre-breach and post-breach processes to better protect patient data and minimize breach impact. With that in mind, a handful of colleagues and I assembled a list of 11 recommendations for a healthier organization in 2013 — and beyond:

1. Establish mobile device and Bring Your Own Device (BYOD) policies that include technical controls and employee and management procedures. I started off with mobile devices for a reason. According to the Ponemon study, 81 percent of organizations permit employees and medical staff to use their own mobile devices, such as smartphones or tablets, to connect to their networks or to enterprise systems such as email. This means PHI can travel on unsecured devices in the pockets or purses of well-meaning healthcare employees, devices that are subject to theft or loss.

The Ponemon report listed actions some healthcare organizations are taking to secure mobile devices: limiting access from devices to critical systems, including those that connect to PHI, and requiring users to read and sign an acceptable use policy prior to connecting to these systems. Even the Department of Health and Human Services has issued strategies for managing the use of mobile devices in a healthcare environment.

2. Control the cloud or it’ll control you. Make it a point to fully understand what cloud service-level agreements mean in practice and then push for meaningful information on failover and disaster recovery practices used. – Richard Santalesa, senior counsel, InfoLawGroup LLP

3. Have a current breach response plan that is ready and tested. This will help pave the way for a well-executed response that can mitigate the financial, legal and reputational harm caused by a security incident involving patient information. – Marcy Wilder, partner and director of global privacy and information management practice, Hogan Lovells